Australian businesses in banking, communications, energy, resources, transport and water have good cyber security measures in place, this report argues, but with some shortcomings, most notably a reluctance to report cyber security incidents.
The 2013 CERT Australia Cyber Crime and Security Survey was designed and conducted to obtain a better understanding of how cyber incidents are affecting the businesses that partner with CERT Australia.
These are the businesses that form part of Australia’s systems of national interest, including critical infrastructure. They underpin the social and economic wellbeing of the nation and deliver essential services, including banking and finance, communications, energy, resources, transport and water.
The findings from this survey build on the baseline data from the 2012 CERT Australia Cyber Crime and Security Survey. The findings provide a more comprehensive picture of the current cyber security measures businesses have in place, the recent cyber incidents they have identified, their reporting of them, and their concerns about cyber threats.
The findings also identify potential vulnerabilities and areas where organisations can make improvements to strengthen their cyber resilience. Responses were received from 135 partner businesses, and, importantly, they show that these businesses are continuing to take cyber security seriously. This matters for individual businesses and their clients, for their industry sectors, and for the business community more broadly.
Overall, organisations have good cyber security measures in place, including policies and standards, as well as a range of technologies and mitigation strategies. Of note, 79% of organisations report that they are implementing the Top 4 mitigation strategies released by the Australian Signals Directorate (ASD): application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges. However, the use of application whitelisting (one of the Top 4) is relatively low, so "implementing the Top 4" should be read as partial adoption rather than all four strategies being in place.
It is important that strong cyber security measures are in place, as the number of organisations that identified at least one cyber security incident has risen, from 56 organisations in 2012 to 76 organisations in 2013.
Most of the incidents took the form of targeted emails, followed by virus or worm infections and trojan or rootkit malware. This is consistent with the finding that respondents viewed cyber security incidents as targeted at their organisation rather than random or indiscriminate.
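The two findings above connect: targeted emails typically deliver a trojan that the recipient is induced to run, and application whitelisting (the least-adopted of the Top 4) is the control that stops an unapproved executable from running at all. The following is an added illustration, not code from the CERT Australia report or from ASD, of a deny-by-default allowlist decision. The files, hashes, directory names and policy are constructed for the demonstration; in practice the policy is enforced by the operating system (for example AppLocker, WDAC or fapolicyd), not by a script like this one.

```python
"""Minimal deny-by-default application allowlist check (added example).

Demonstrates two rule types used by real allowlisting products:
  * hash rules  - approve a specific binary by its SHA-256 digest
  * path rules  - approve anything under a directory ordinary users cannot write to
and shows why a hash rule follows the file while a path rule is only as strong
as the write permissions on that path.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class AllowlistPolicy:
    # SHA-256 digests of binaries approved for execution (constructed for the demo).
    allowed_hashes: set = field(default_factory=set)
    # Directories whose contents are trusted (install paths normal users cannot write to).
    trusted_dirs: tuple = ()


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_execution_allowed(policy: AllowlistPolicy, path: str, user_writable_dirs=()):
    """Deny by default. Returns (allowed, reason).

    Allow only if the file's hash is approved, or if it lives under a trusted
    directory that does not overlap a user-writable location (a trusted path
    that users can write to is a bypass, since they could drop their own binary there).
    """
    real = os.path.realpath(path)
    if sha256_of(real) in policy.allowed_hashes:
        return True, "hash match"
    for d in policy.trusted_dirs:
        if real.startswith(os.path.realpath(d) + os.sep):
            if any(real.startswith(os.path.realpath(w) + os.sep) for w in user_writable_dirs):
                return False, "trusted path overlaps user-writable location"
            return True, "trusted path"
    return False, "not in allowlist"


def run_demo() -> dict:
    """Build a constructed filesystem layout and return the policy decisions."""
    root = tempfile.mkdtemp()
    program_files = os.path.join(root, "Program Files")
    downloads = os.path.join(root, "Users", "alice", "Downloads")
    os.makedirs(program_files)
    os.makedirs(downloads)

    approved = os.path.join(program_files, "approved.exe")
    with open(approved, "wb") as f:
        f.write(b"MZ approved build 1.0")          # constructed stand-in for a real binary
    # A trojan dropped by a targeted email lands in the user's Downloads folder.
    dropper = os.path.join(downloads, "invoice.pdf.exe")
    with open(dropper, "wb") as f:
        f.write(b"MZ malicious payload")
    # A byte-identical copy of the approved binary in an untrusted location.
    copied = os.path.join(downloads, "approved_copy.exe")
    with open(copied, "wb") as f:
        f.write(b"MZ approved build 1.0")

    policy = AllowlistPolicy(allowed_hashes={sha256_of(approved)}, trusted_dirs=(program_files,))
    results = {
        "approved": is_execution_allowed(policy, approved),
        "dropper": is_execution_allowed(policy, dropper),
        "copied_approved": is_execution_allowed(policy, copied),
    }
    # Tamper with the installed binary: the hash rule no longer matches, but the
    # path rule still allows it. This is why path rules need write-protected paths.
    with open(approved, "ab") as f:
        f.write(b" (tampered)")
    results["tampered_in_trusted_dir"] = is_execution_allowed(policy, approved)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

The point for an organisation triaging the report's findings: a hash-based allowlist denies the emailed dropper outright, regardless of how convincing the lure was, whereas the path rule only holds while the trusted directory stays unwritable to ordinary users (the restricted-admin-privileges strategy in the same Top 4).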
Of concern, 61% of organisations do not have cyber security incidents recorded on their risk register. This may be linked to the identified need for management and CEOs to improve their IT security skills, practices and, perhaps, awareness.
Of note, the proportion of organisations that chose not to report cyber security incidents to an outside agency has increased, from 44% in 2012 to 57% in 2013.
Responses indicate that Australian businesses are yet to be convinced of the benefit of reporting, and also that many incidents are considered too minor to report.
This finding reinforces the need for CERT Australia and other agencies to actively promote the benefits of reporting cyber security incidents.